Data Breaches Costing Customers, Not Just Money

A study by the Ponemon Institute found the average cost of data breaches - from detection to notification to lost business - is rising. The No. 1 cost to companies is lost business, which now accounts for 69 percent of total costs.

Data breaches are costly, and they are not getting any cheaper - particularly breaches due to third parties.

But the cost of a data breach is not just the line-item expense of notifying affected individuals. It also includes lost business, which is far and away the most expensive part of a breach, according to a new study by the Ponemon Institute.

According to its survey, which was sponsored by PGP, the average cost of a data breach from detection to notification and response was $202 per record in 2008. That's an increase from $197 per record in 2007.

According to the study, lost business accounted for 69 percent of data breach costs in 2008, up from 65 percent in 2007 and 54 percent in 2006.

Ponemon based its findings on the experiences of 43 organizations that suffered data breaches. Eighty-four percent of those organizations had suffered at least one earlier breach.

In line with other studies, Ponemon reported that most breaches were due not to hackers but to the negligence of insiders. Breaches involving third-party organizations such as outsourcers, contractors and consultants were reported by 44 percent of respondents, more than double the percentage in 2005. Third-party breaches averaged $231 per record, $52 more than breaches in which no third party was involved (not $52 above the overall $202 average, which includes both kinds).

"My sense is that a lot of customers still have put far more effort into protection from the external threat than the internal threat," said Mark McClain, CEO of identity and access management vendor SailPoint Technologies. "They have a lot more in place to protect them against the infamous eastern European hacker than they do the rogue employee."

However, as we saw in the case of the Heartland Payment Systems breach and numerous incidents before it, cyber-crooks always have their eyes on corporate data. Notably, Heartland did not detect the intrusion itself: the company first received word from Visa and MasterCard of suspicious activity involving credit card transactions it had processed. It then began an investigation and found that hackers had planted malware on its systems.

After a breach, enterprises tended to invest in training and turn to encryption.

"The first thing they seem to do is they implement manual procedures and training, which makes sense given that so many of these breaches are caused by a negligent insider," said Larry Ponemon, chairman of the institute. "But from a technology perspective it appears that the most frequently used technology after a breach is encryption, and a more holistic and strategic use of encryption seems to be implied by our research findings."

Since announcing the breach, officials at Heartland have established an internal department dedicated exclusively to the development of end-to-end encryption to protect merchant and consumer data in financial transactions. The term means encrypting card data from the point of capture onward, so that intermediate systems between the merchant and the processor never handle it in the clear; it does not protect data that is already in the clear on a compromised endpoint.

Heartland CEO Robert O. Carr said that while the Payment Card Industry Data Security Standard (PCI DSS) is effective, the sophistication of cyber-thieves requires additional steps.

"There is no single silver bullet that will secure payment systems, and constant vigilance and monitoring of the infrastructure will always be required," he said in a statement. "Nevertheless, I believe the development and deployment of end-to-end encryption will provide us the ability to implement increasing levels of security protection as they become needed."

The idea that being PCI compliant may not fully protect customers or businesses has led to debates about the role of legislation in IT security. Ponemon agreed that it is good for regulations to include guidelines on security technology, but warned that laws can fall too far behind the times.

"There is always a lag to regulations," he said. "Today they say you must do this type of encryption or that type of software protection but they are not cognizant of all the other big monstrous security threats and as a result what you implement is probably not state-of-the-art. You want to have some flexibility to innovate...not have laws that restrict innovation."